-1

I provide links to external websites in my NodeJS application. These take significant effort to find and I want to track the number of clicks. I prefer to avoid front-end JavaScript as I disable it in my browser. So far I have been using query parameters, such as:

router.get('/redir', async (req, res) => {
  // the destination arrives as the `url` query parameter, e.g. /redir?url=https://example.com
  let url = req.query.url;
  // my own tracking logic
  // ...
  res.redirect(url);
});

This code fails for links that already contain GET parameters, question marks, and ampersands. I tried this one:

router.get('/redir/:url', async (req, res) => {
  // `:url` matches a single path segment, so a full URL (which contains "/"
  // and "//") never matches this route
  let url = req.params.url;
  res.redirect(url);
});

and the route is not even called.

How can I track link clicks that already contain ? and &?

Dominik
miguelmorin
    Have a look at this: https://stackoverflow.com/questions/10183291/how-to-get-the-full-url-in-express – Dominik Nov 11 '20 at 21:14
    Does this answer your question? [How to get the full url in Express?](https://stackoverflow.com/questions/10183291/how-to-get-the-full-url-in-express) – Dominik Nov 11 '20 at 21:15

1 Answer

0

Thanks to the comments, here is one way to do it:

// authorizedUrls: the array of destination URLs this app may redirect to
// (defined elsewhere in the app)
router.get('/redir', async (req, res) => {
  // req.originalUrl keeps the raw query string, so a destination containing
  // its own '?' and '&' survives as long as `url` is the only parameter
  let url = req.originalUrl.replace("/redir?url=", "");
  // logic: verify that this redirect is authorized to avoid Open Redirect and phishing.
  if (authorizedUrls.includes(url)) {
    return res.redirect(url);
  }
  return res.redirect("/404");
});

You should check if the URL is authorized to avoid the Open Redirect, a highly dangerous way of phishing listed as Common Weakness Enumeration 601:

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Extended Description

An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

Source: https://serverfault.com/questions/1049139/name-and-severity-of-this-type-of-redirect-fraud/1049141#1049141.

miguelmorin
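The following is an added example, not code from the question or the answer above. It shows the two ways of getting a destination with its own `?` and `&` out of the request (the parsed query that the first attempt relied on, and the raw `req.originalUrl` that the answer uses), and it goes one step further than the answer: the tracked link is built with `encodeURIComponent` so that `req.query.url` round-trips intact, and the allowlist check runs on a parsed absolute URL so that relative paths and non-http(s) schemes are rejected before the lookup. It is written against plain Node (the WHATWG `URL` global) so it runs without Express; the names `ALLOWED_TARGETS`, `buildTrackedLink`, `targetFromQuery`, `targetFromOriginalUrl`, `authorizeTarget`, `clickCount` and `redirHandler` are hypothetical, and the allowlist entries are constructed sample data.

```javascript
// Added example (not from the question or the answer): a tracking-redirect
// endpoint written against plain Node so it runs without Express. The names
// ALLOWED_TARGETS, buildTrackedLink, targetFromQuery, targetFromOriginalUrl,
// authorizeTarget, clickCount and redirHandler are hypothetical, and the
// allowlist entries are constructed sample data.

// Exact destination URLs this application is willing to redirect to.
// Anything not in this set goes to /404, which closes the open redirect.
const ALLOWED_TARGETS = new Set([
  "https://example.com/docs?section=intro&lang=en",
  "https://example.org/",
]);

// Link to embed in the page: the destination is percent-encoded so its own
// '?' and '&' are carried inside the single `url` parameter.
function buildTrackedLink(target) {
  return "/redir?url=" + encodeURIComponent(target);
}

// What Express's req.query.url sees (the question's first attempt). The query
// string is split at '&', so an unencoded destination loses everything from
// its first '&' onwards; an encoded one comes back intact.
function targetFromQuery(requestPath) {
  return new URL(requestPath, "http://localhost").searchParams.get("url");
}

// The answer's approach: take everything after "/redir?url=" from the raw
// req.originalUrl. Keeps '?' and '&' but only if `url` is the sole parameter,
// and percent-encoding in the destination is not decoded.
function targetFromOriginalUrl(originalUrl) {
  const prefix = "/redir?url=";
  return originalUrl.startsWith(prefix) ? originalUrl.slice(prefix.length) : null;
}

// Returns the canonical absolute URL if the destination is allowlisted,
// otherwise null. Relative paths, protocol-relative "//host" values and
// non-http(s) schemes are rejected before the allowlist lookup.
function authorizeTarget(candidate) {
  if (typeof candidate !== "string" || candidate === "") return null;
  let parsed;
  try {
    parsed = new URL(candidate); // throws for anything that is not absolute
  } catch {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return ALLOWED_TARGETS.has(parsed.href) ? parsed.href : null;
}

// Stand-in for the question's "my own tracking logic": clicks per destination.
const clicks = new Map();
function clickCount(target) {
  return clicks.get(target) || 0;
}

// Express-compatible handler: router.get("/redir", redirHandler). It reads the
// parsed query (so links must be built with buildTrackedLink) and only
// redirects to allowlisted destinations; everything else goes to /404.
function redirHandler(req, res) {
  const target = authorizeTarget(req.query.url);
  if (target === null) {
    return res.redirect("/404");
  }
  clicks.set(target, clickCount(target) + 1);
  return res.redirect(target);
}
```

Wiring it into the application from the question means generating every outbound link with `buildTrackedLink` and registering `redirHandler` on `/redir`; since the allowlist holds exact canonical URLs, a destination has to be added there before its link is published, which is also the point at which the click counter for it starts.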